[pve-devel] applied: [RFC firewall 0/8] rebased ebtables patches

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Mar 29 15:47:29 CEST 2018


applied the whole series with the follow-up one, thanks!

Am 03/28/2018 um 10:53 AM schrieb Wolfgang Bumiller:
> While on the one hand I'd like to move to nftables, and on the other
> hand I like the idea of attaching xdp programs to interfaces for the
> purpose of e.g. MAC filtering, we do still have this patch series around
> which wasn't much work to rebase to the current code base and does its
> job...
> Back when the series was originally posted the issue was mostly the lack
> of a (proper) ebtables package (missing ebtables-save/restore). We don't
> have this problem anymore, so why not give this a go?
> 
> The changes I made to the patches I took off the list should be rather
> obvious: openvz -> lxc, and replacing the hardcoded ethertype list with
> reading /etc/ethertypes (which gets shipped with the ebtables package).
> Some whitespace cleanup and I renamed 'layer2filter_protocols' to just
> 'layer2_protocols' (and avoided the generation of `-j DROP` followed by
> `-j ACCEPT`).
> 
> (Oh and, patch 4 is actually unrelated, I just came across that while
> adding the ethertypes file parsing...)
> 
> @Alexandre, @Stefan Priebe:
> if you're still using the patches it might be good to
> compare/check/update, not sure if you kept rebasing them?
> 
> Alexandre Derumier (2):
>    compile ebtables rules
>    apply ebtables_ruleset
> 
> Wolfgang Bumiller (6):
>    split parser out of get_etc_protocols
>    parse_protocol_file: support lines without end comments
>    add get_etc_ethertypes
>    /etc/services can also define 'sctp' services
>    avoid double spaces in ruleset_addrule
>    add ebtables dependency
> 
>   debian/control                  |   3 +-
>   debian/example/100.fw           |   3 +
>   src/PVE/Firewall.pm             | 240 +++++++++++++++++++++++++++++++++++++---
>   src/PVE/Service/pve_firewall.pm |  14 ++-
>   4 files changed, 241 insertions(+), 19 deletions(-)
> 
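The series replaces a hardcoded ethertype list with a parser over /etc/ethertypes (shipped by the ebtables package) and teaches the protocol-file parser to accept lines that carry no trailing comment. The following is an added illustration of that parsing step, written for this reply and not taken from PVE::Firewall or the patches themselves: the function names (parse_protocol_file, resolve_protocol), the hash layout and the sample file contents are assumptions made for the example. The point it shows is the one a firewall generator cares about: a rule's protocol field is resolved against the parsed table and anything unknown is rejected before a single `-p` argument is handed to ebtables or iptables.

```perl
#!/usr/bin/perl
# Added example, not PVE::Firewall code. Parses /etc/protocols-style and
# /etc/ethertypes-style files and resolves rule protocol fields against
# the result. Names and sample data below are assumptions for illustration.
use strict;
use warnings;

# Parse one protocol/ethertype file passed as a string.
# Line format:  NAME  NUMBER  [ALIAS ...]  [# comment]
# The trailing comment is optional, so lines without one must parse too.
# $base is 10 for /etc/protocols and 16 for /etc/ethertypes (hex numbers).
# Returns a hash ref keyed by lowercased name and alias.
sub parse_protocol_file {
    my ($content, $base) = @_;
    my $res = {};
    for my $line (split /\n/, $content) {
        $line =~ s/#.*$//;          # strip a trailing comment if present
        $line =~ s/^\s+|\s+$//g;    # trim surrounding whitespace
        next if $line eq '';        # blank or comment-only line
        my ($name, $num, @aliases) = split /\s+/, $line;
        next if !defined($num);     # malformed line: no number field
        my $id;
        if ($base == 16) {
            next if $num !~ /^[0-9a-fA-F]{1,4}$/;
            $id = hex($num);
        } else {
            next if $num !~ /^\d+$/;
            $id = int($num);
        }
        my $entry = { name => $name, id => $id, aliases => \@aliases };
        $res->{lc $name} = $entry;
        $res->{lc $_} = $entry for @aliases;
    }
    return $res;
}

# Resolve a protocol given in a rule (name, alias or number) to a numeric id.
# Returns undef for anything unknown so the caller can reject the rule rather
# than pass an arbitrary string through to the ebtables/iptables command line.
sub resolve_protocol {
    my ($table, $proto, $base) = @_;
    return undef if !defined($proto);
    if ($base == 16) {
        return hex($1) if $proto =~ /^0x([0-9a-fA-F]{1,4})$/;
    } elsif ($proto =~ /^\d+$/) {
        return int($proto) <= 255 ? int($proto) : undef;
    }
    my $e = $table->{lc $proto};
    return $e ? $e->{id} : undef;
}

# Constructed sample file contents (assumed, not copied from a system),
# including entries with and without a trailing comment.
my $ethertypes = <<'EOF';
# Ethernet frame types (constructed sample)
IPv4    0800    ip ip4      # Internet IP (IPv4)
ARP     0806    ether_arp   # Address Resolution Protocol
IPv6    86DD    ip6
EOF

my $protocols = <<'EOF';
ip      0       IP          # internet protocol, pseudo protocol number
icmp    1       ICMP
tcp     6       TCP         # transmission control protocol
sctp    132     SCTP        # Stream Control Transmission Protocol
EOF

my $eth = parse_protocol_file($ethertypes, 16);
my $ipp = parse_protocol_file($protocols, 10);

# Layer-2 protocol fields as they might appear in a rule: name, alias,
# lowercase name, raw hex, and an unknown value that must be rejected.
for my $p (qw(IPv6 ip6 arp 0x86dd bogus)) {
    my $id = resolve_protocol($eth, $p, 16);
    printf "ethertype %-8s -> %s\n", $p, defined $id ? sprintf('0x%04x', $id) : 'rejected';
}

# Layer-3 protocol fields: name, alias, number, out-of-range number.
for my $p (qw(sctp SCTP 6 999)) {
    my $id = resolve_protocol($ipp, $p, 10);
    printf "protocol  %-8s -> %s\n", $p, defined $id ? $id : 'rejected';
}
```

Stripping the comment before splitting is what makes a line with no `#` behave identically to one with a comment; the alias columns then become ordinary fields, so `ip6` and `ether_arp` resolve alongside the canonical names. Keeping resolution strict (known name, alias, or in-range number only) matters because the resolved value is interpolated into the ruleset text that the firewall service later applies.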